Heroku lets app developers spend their time on their application code, not managing servers, deployment, ongoing operations, or scaling. We are strong believers in free and open source software, and much of our code is available on our GitHub page. We are offering cash rewards on an ongoing basis for valid vulnerabilities, subject to the rules and terms of participation. The goal of this bounty is to find vulnerabilities which affect the confidentiality, integrity, or availability of our services and code run by us or our customers.

Getting Started

Heroku customer applications are out of scope for this program; you may only test against Heroku properties. Submissions for *.herokuapp.com applications will be treated as out of scope.
You can identify public-facing Heroku properties by their EV SSL certificates.

Please consult the Focus Areas below for more information about the different components that make up Heroku.

Focus Areas

Heroku Platform

Our main product and focus area for security, the platform itself is what all of the other targets support (and where most of them run).

Developers can create applications written in Ruby, Node.js, Java, Python, Clojure, Scala, Go, and PHP and deploy them on our platform. Once deployed, the application is assembled into a slug, which is then run on a dyno.

Terminology:

dyno: A dyno is a lightweight Linux container that runs a single user-specified command. A dyno can run any command available in its default environment (what we supply in the stack) or in your app’s slug.

slug: A compressed and pre-packaged copy of your application and its dependencies.

buildpack: The scripts that power app builds on Heroku. Buildpacks are responsible for transforming deployed code into a slug, which can then be executed on a dyno.

What to look for:

A dyno should only be accessible to authorized users; we are therefore particularly interested in issues that lead to privilege escalation within, or breakout from, a user dyno. We are also interested in issues that allow one customer's dyno to interact with another customer's dyno, or to intercept traffic destined for another dyno.

Heroku API

The platform API (api.heroku.com) is how developers interact with the Heroku Platform. You can use the platform API to programmatically create apps, provision add-ons, and perform other tasks. Most Heroku tools (such as the CLI and dashboard) interact with the Heroku platform through this API.

Other Heroku products that are not part of the Heroku Dashboard can be accessed via the main navigation. Some of those products are Heroku Data, Dataclips, and Heroku Connect (Heroku/Salesforce Integration).

Heroku CLI

The Heroku Command Line Interface (CLI), formerly known as the Heroku Toolbelt, is a tool for creating and managing Heroku apps from the command line / shell of various operating systems. It is written in Go and Node and interacts with the Heroku Platform API.

Heroku Connect

Heroku Connect is an add-on that synchronizes data between your Salesforce organization and a Heroku Postgres database. You can follow the getting started documentation to provision an application with Heroku Connect and use the free Demo plan for testing.

Only the Heroku endpoints are in scope. Do not perform testing or attacks against any non-Heroku Salesforce URIs.

Heroku Docker Builds

A newer build system powered by Docker, which builds slugs from Docker images. A custom heroku.yml can be used to specify the Dockerfile to build from and to declare the add-ons and config vars to create during app provisioning.

Apache Kafka on Heroku

Apache Kafka on Heroku is an add-on that provides Kafka as a service with full integration into the Heroku platform. This is an expensive add-on and we do not have a free tier for testing at this time. However, we are interested in any vulnerabilities you may discover in Apache Kafka that are specific to our deployment.

Apache Kafka is a distributed commit log for fast, fault-tolerant communication between producers and consumers using message based topics. Kafka provides the messaging backbone for building a new generation of distributed applications capable of handling billions of events and millions of transactions, and is designed to move large volumes of ephemeral data with a high degree of reliability and fault tolerance.

Account Creation

You MUST use the [USERNAME]@bugcrowdninja.com email alias when signing up for heroku.com accounts that will be used to participate in this bounty.

For example, if your Bugcrowd username is researcher, you must use researcher@bugcrowdninja.com. If you require multiple accounts, you can make use of the alias sub-addressing feature and sign up with an email address such as researcher+randomstring@bugcrowdninja.com.

Accounts not following these rules will be suspended without warning.

Out-of-Scope Targets

Customer applications.

3rd-Party Heroku Add-On Providers.

AWS S3 Buckets not mentioned in Heroku documentation, or interacted with from a Heroku service.

Any bug involving an S3 bucket must include clear, repeatable instructions detailing how the bucket name was obtained, e.g. “The Heroku Dashboard performs a direct upload to bucket name xyz” or “The buildpack source code at github.com/heroku/foo contains the bucket name xyz”.

Out-of-Scope Findings

The following vulnerability classes are explicitly excluded from the bounty, and will not be rewarded unless a reproducible proof-of-concept demonstrating a clear and significant impact to the Heroku platform or its users can be provided. tl;dr - If it is exploitable, or affects other users of the platform, we want to know about it.

Disclosure of known public files or directories (e.g. robots.txt, crossdomain.xml).

Legal

If you're on any U.S. government denied-party list or live in a country that is on such a list, we cannot give you a reward. Keep in mind that your citizenship and residency may affect whether you owe taxes on any reward you receive, and you alone are responsible for paying those taxes.

We, of course, reserve the right to cancel or modify this program at any time and the ultimate decision over an award, whether to give one and in what amount, is a decision that lies entirely within our discretion.